Sophos Windows users face black screens after false positive snafu

Black is the new BSOD

Users of Sophos’s security software were confronted with a black screen on starting up their Windows PC over the weekend as the result of a borked antivirus update.

The botched update meant that the Windows 7 version of winlogon.exe was incorrectly labelled as potentially malicious, resulting in chaos and confusion all around.

The problem was limited to users running a specific version of 32-bit Windows 7 SP1, according to Sophos.

In the Sophos Enterprise Console, in Sophos Central or in Sophos Home, users might also be confronted with the message below:

Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.

Sophos responded promptly to the false alarm, issuing a revised update together with advice on solving the problem on Sunday morning, as explained in a knowledge base article by the security software firm.

False positives are a well-known Achilles’ Heel of anti-malware packages and have been a problem for many years. All vendors suffer them from time to time. The effect of such mistakes is most keenly felt when core Windows applications are misdiagnosed as malign and shuffled out to quarantine.

The volume of updates vendors are obliged to issue every day in response to the rising ransomware tide means false positives have remained an issue despite improvements in quality control procedures.

More commentary on the latest snafu can be found in a blog post by industry veteran Graham Cluley. ®